Gen.Variant.MSILDownloader.1_a2d2e1cc1e

Gen:Variant.MSILDownloader.1 (BitDefender), HEUR:Trojan-Spy.MSIL.Agent.gen (Kaspersky), Trojan.Hosts.44827 (DrWeb), Gen:Variant.MSILDownloader.1 (B) (Emsisoft), Artemis!A2D2E1CC1ED2 (McAfee), Trojan.G...
Blog rating:1.8 out of5 with5 ratings

Gen.Variant.MSILDownloader.1_a2d2e1cc1e

by malwarelabrobot on June 21st, 2018 in Malware Descriptions.

Gen:Variant.MSILDownloader.1 (BitDefender), HEUR:Trojan-Spy.MSIL.Agent.gen (Kaspersky), Trojan.Hosts.44827 (DrWeb), Gen:Variant.MSILDownloader.1 (B) (Emsisoft), Artemis!A2D2E1CC1ED2 (McAfee), Trojan.Gen.2 (Symantec), Gen:Variant.MSILDownloader.1 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0OFC18 (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a2d2e1cc1ed29bad211833f9cab40dda
SHA1: 7552c36d69dbd28dbbdfc06277213d2415eee72a
SHA256: 4d4f4a107d2de94e00016f28debc0088194ac3da0c881ea6994db03097b04127
SSDeep: 12288:egkfPcISkEPV5zJFIysBq4RCqZ61sAbN5a1ZlnAsXnskXhr6s9XKkA96rwAFDSt9:zAcIS9PwC3AZNA0BXhrXkIlB7wuQ
Size: 1701888 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-10 02:01:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2428
GoogleUpdate.exe:2276
GoogleUpdate.exe:3604
GoogleUpdate.exe:2348
GoogleUpdate.exe:2564
GoogleUpdate.exe:1860
GoogleUpdateSetup.exe:1080

The Trojan injects its code into the following process(es):

%original file name%.exe:3560
UI0Detect.exe:2516
UI0Detect.exe:2580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{28C25E36-1EF8-4804-B6DD-549F255A2B2E}-GoogleUpdateSetup.exe (0 bytes)

The process GoogleUpdate.exe:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)

The process %original file name%.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (3 bytes)

The process GoogleUpdateSetup.exe:1080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser.dll (206 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUT8FC1.tmp (7 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM8FC0.tmp (32 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (41 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM8FC0.tmp (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psuser.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUT8FC1.tmp (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM8FC0.tmp\goopdateres_et.dll (0 bytes)

Registry activity

The process GoogleUpdate.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529391604"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4187"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4187"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529391604"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4187"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{86761C6E-422F-4028-98C4-6C1C93DB274D}]
"PersistedPingTime" = "131739454210074299"
"PersistedPingString" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
"PersistedPingString" = ""

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4187"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529391604"
"ping_freshness" = "{CB034849-EBEC-47F7-8998-F2ABC84F8CDE}"

[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529471828"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{009DFB2D-DA35-4DD7-A67C-6E7343845DFA}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529391604"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
"PersistedPingTime" = "131739454286826433"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4187"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{0A42FD49-3C11-4F3B-871E-696636424042}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529471828"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529391604"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{86761C6E-422F-4028-98C4-6C1C93DB274D}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{C3174DA0-6EBA-4BDF-8DB6-4E35B7D6CDAE}]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

The process GoogleUpdate.exe:2348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
"PersistedPingTime" = "131739454698380157"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529471869"

[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529471869"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
"PersistedPingString" = ""

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{89A6FAA6-F6B0-4A72-B8F3-5527E75894CB}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKLM\SOFTWARE\Google\Update]
"ui"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Google\Update]
"mi"

The process %original file name%.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
6c718849d436a7ccebed72538f8bd04b c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe
d2f56e366f1cb26866a6f43bd53b46c3 c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe
92ee791a630830452485e8e375f8db35 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe
8171211b809414b6d8a8e4f6ea8cf140 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateBroker.exe
03b587bfaf6dd67b330ccb6fb99ca59a c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe
678dd73ca364411bcf431892b8f878da c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe
96e08eb0d929c279536bdbbc543da8fb c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateSetup.exe
063ca1017835923689c4957562ea2862 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe
463a426da94fc2418a713ceebb799e22 c:\Program Files\Google\Update\1.3.33.17\goopdate.dll
e433408ca45786f9b6b7873709f57eba c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll
9d85c8517de4db2380aa14593d8a899a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll
f376765117f5b82123ec1f4fd352fb9c c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll
4a5e2fac15b93b43a2ee673e2e111478 c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll
230fe7b526bde7aff33b616618a8d05a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll
9b598c6a4d3d9586f93feca20f51da70 c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll
b1bd2d1889f42f20aeac5f1998d8b21b c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll
e5ea4068551b3ac782d955a699222067 c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll
68cf3b8fef6b56cd583e8c30ae8ca563 c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll
2087af32c82c00e32094ae86dcf35607 c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll
9c2a3eec41cd4effd6ffecaa910dd7da c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll
7c7c2b897c7107e910eab8b669c93738 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll
73ccbf92e13acc6389bb9f7dd04935b6 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll
a2cb2c0b126c87336bc2b29a3e995dc5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll
1d688c7571f047a36b585d810e02067f c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll
81f8d0fbff693910fedc808047cdf156 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll
6cec555d88a69bdb910188c2b53b19a3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll
598294ce0043943aa4cc04edc139e6c8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll
7d3a8a7aec219fcbecacd04f1ad66053 c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll
0a9a7354a95c559a4093f24fff784911 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll
de931037c2f487efa900aa6590cac9e0 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll
456664b46a1948b0df8785bd5b87f858 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll
43a73db8674c025026ed4cad9359a574 c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll
5e609c7d0ab38fa244949da75da04a1b c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll
d002a3352574a6e6999a6f2c23566745 c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll
ffef2d63908222cacee0e40c138d5986 c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll
b71ff4a60875f30db7e492d4806f0c92 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll
c6a1c2e334df66970a03b30539757f36 c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll
fb58fffc04f44137610caae567cfaf6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll
3b033e1092474acd6b7cfcf01a999d34 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll
3b00a99d877881ba0fc786fdd8e3b426 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll
157bf7b8eca4bc66d5c7fb3e358d5c58 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll
7c864e8d77ebe0bc8451ade4f67f68b3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll
225c45af996ebf983800025ea32f6c18 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll
2b04cd187acac2019e13195a3cc53a31 c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll
38651bcc330768d3e74763452a8e46e2 c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll
531e1fca96b1cc6dfbb74c2e96d990c7 c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll
237642b8bddfe765e073a3aa6c29ca0a c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll
298f4f2bd4e7b962615bcf0ed3d673ca c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll
ea1ef744fb8ba02148b362adeac70952 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll
774b5644ad40e4d3863d81a7d30d4fae c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll
6ffd62c9d080288bcc95816afd018048 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll
d7b41237faca93b3d0666e4fd38092b8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll
25bbd03fc02f7daa9168dce7dfaef624 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll
e645c5eb4401b5e443a9744fc141b2f5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll
2f111d7785bfcd6b4228df0cdf353407 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll
8bb63ae799037b02a89c42408abf755a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll
2f40316ac456b383c58be478daf69ce9 c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll
cdc5e8fdba12f79c056bcf3085335ac5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll
811ac46d616f94ae885175863e0ce95d c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll
23725511dd277f08993bbfbaf27123c1 c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll
3edc8f630a94d57674097194540a9f6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll
baff2a81498cb67c560d443e96153060 c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll
6c2d04d599eb5b4549653d030d9d6550 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll
f66719fb333de285e6edd1fd20e0edf8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll
671e1e25f6f08809863bb9aed544e70e c:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll
cca7a6b6c2bce1e8af12a95f69c4cc8f c:\Program Files\Google\Update\1.3.33.17\psmachine.dll
edad26bca1696d23ecb9dc3ab48fd551 c:\Program Files\Google\Update\1.3.33.17\psmachine_64.dll
c2762290bb2ece339d4c63f7a8a6acc8 c:\Program Files\Google\Update\1.3.33.17\psuser.dll
58b48e4352559d4d76776377fde5df0c c:\Program Files\Google\Update\1.3.33.17\psuser_64.dll
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 3039 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 hilebol.online
127.0.0.1 www.hilebol.online
127.0.0.1 hilebol.online/
127.0.0.1 www.hilebol.online/
127.0.0.1 https://hilebol.online/
127.0.0.1 https://hilebol.online
127.0.0.1 link.tl
127.0.0.1 www.link.tl
127.0.0.1 link.tl/
127.0.0.1 www.link.tl/
127.0.0.1 https://link.tl/
127.0.0.1 https://link.tl
127.0.0.1 tr.link
127.0.0.1 www.tr.link
127.0.0.1 tr.link/
127.0.0.1 www.tr.link/
127.0.0.1 https://tr.link/
127.0.0.1 https://tr.link
127.0.0.1 pnd.tl
127.0.0.1 www.pnd.tl
127.0.0.1 pnd.tl/
127.0.0.1 www.pnd.tl/
127.0.0.1 https://www.pnd.tl/
127.0.0.1 https://pnd.tl
127.0.0.1 memoryhackers.net
127.0.0.1 www.memoryhackers.net
127.0.0.1 memoryhackers.net/
127.0.0.1 www.memoryhackers.net/
127.0.0.1 https://basetarama.blogspot.com.tr/
127.0.0.1 https://basetarama.blogspot.com.tr
127.0.0.1 www.basetarama.blogspot.com.tr/
127.0.0.1 www.basetarama.blogspot.com.tr
127.0.0.1 basetarama.blogspot.com
127.0.0.1 basetarama.blogspot.com/
127.0.0.1 www.basetarama.blogspot.com
127.0.0.1 www.basetarama.blogspot.com/
127.0.0.1 https://www.hileplus.com/
127.0.0.1 www.hileplus.com
127.0.0.1 www.hileplus.com/
127.0.0.1 https://www.hileplus.com
127.0.0.1 hileplus.com/
127.0.0.1 hileplus.com/
127.0.0.1 http://www.hilenbizde.com/
127.0.0.1 http://www.hilenbizde.com
127.0.0.1 www.hilenbizde.com
127.0.0.1 www.hilenbizde.com/
127.0.0.1 hilenbizde.com
127.0.0.1 hilenbizde.com/
127.0.0.1 http://www.guncelhileindir.net
127.0.0.1 http://www.guncelhileindir.net/
127.0.0.1 guncelhileindir.net
127.0.0.1 guncelhileindir.net/
127.0.0.1 www.guncelhileindir.net
127.0.0.1 www.guncelhileindir.net/
127.0.0.1 https://baksen.org
127.0.0.1 https://baksen.org/
127.0.0.1 baksen.org
127.0.0.1 baksen.org/
127.0.0.1 www.baksen.org
127.0.0.1 www.baksen.org/
127.0.0.1 http://oyunhilecik.com
127.0.0.1 http://oyunhilecik.com/
127.0.0.1 oyunhilecik.com
127.0.0.1 oyunhilecik.com/
127.0.0.1 www.oyunhilecik.com
127.0.0.1 www.oyunhilecik.com/
127.0.0.1 http://www.guncelhileindir.net
127.0.0.1 http://www.guncelhileindir.net/
127.0.0.1 guncelhileindir.net
127.0.0.1 guncelhileindir.net/
127.0.0.1 www.guncelhileindir.net


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: nvidia
Product Name: nvidia
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2018
Legal Trademarks: nvidia
Original Filename: Tanilama Sorun Giderme Sihirbazi.exe
Internal Name: Tanilama Sorun Giderme Sihirbazi.exe
File Version: 1.0.0.0
File Description: nvidia
Comments: nvidia
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1684548 1684992 4.04728 5bd1d1e5c64a253622ff4432b0651c2c
.rsrc 1695744 15368 15872 2.90165 d0754f113e382b10c2bbb3ce4629b5df
.reloc 1712128 12 512 0.070639 35afd37a619a37217246995b49e75eeb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529471712&mv=m&pcm2cms=yes&pl=24&shardbypass=yes
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA=
hxxp://cs9.wac.phicdn.net/sha2-ha-server-g6.crl
hxxp://rvip1.ue.cachefly.net/sha2-ha-server-g6.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl
hxxp://cs9.wpc.v0cdn.net/IE9CompatViewList.xml
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529471712&mv=m&pcm2cms=yes&pl=24&shardbypass=yes 80.91.179.80
hxxp://crl4.digicert.com/sha2-ha-server-g6.crl 66.225.197.197
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= 93.184.220.29
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl 77.222.148.96
hxxp://crl3.digicert.com/sha2-ha-server-g6.crl 93.184.220.29
hxxp://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml 152.199.19.161
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= 93.184.220.29
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe 172.217.21.206
tools.google.com 172.217.21.206
update.googleapis.com 172.217.21.195


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:2428
    GoogleUpdate.exe:2276
    GoogleUpdate.exe:3604
    GoogleUpdate.exe:2348
    GoogleUpdate.exe:2564
    GoogleUpdate.exe:1860
    GoogleUpdateSetup.exe:1080

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Google\Update\Install\{DE396D46-002C-4560-9490-D50743627705}\GoogleUpdateSetup.exe (7596 bytes)
    %Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_en.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
    %Program Files%\GUM8FC0.tmp\goopdate.dll (49 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.31.5 (28 bytes)
    C:\Windows\System32\drivers\etc\hosts (3 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_mr.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\psmachine.dll (206 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_sl.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_de.dll (45 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_it.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_es-419.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_fi.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\psuser.dll (206 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_sk.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_en-GB.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_da.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_id.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_lt.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_am.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_uk.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_hi.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\psuser_64.dll (248 bytes)
    %Program Files%\GUM8FC0.tmp\psmachine_64.dll (248 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_hu.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_el.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleCrashHandler.exe (550 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ur.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_iw.dll (40 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_kn.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_no.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_tr.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ru.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_vi.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_fr.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_pt-BR.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_zh-CN.dll (36 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_sw.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_bg.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_hr.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateCore.exe (838 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_is.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_pt-PT.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_gu.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_nl.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ro.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_pl.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_sr.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ca.dll (44 bytes)
    %Program Files%\GUT8FC1.tmp (7 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_th.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_fil.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_te.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ja.dll (39 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ms.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ta.dll (45 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ml.dll (46 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_fa.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_zh-TW.dll (36 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_sv.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_lv.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_bn.dll (44 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ko.dll (38 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_cs.dll (43 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateBroker.exe (96 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_es.dll (45 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_et.dll (42 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdateHelper.msi (40 bytes)
    %Program Files%\GUM8FC0.tmp\GoogleUpdate.exe (308 bytes)
    %Program Files%\GUM8FC0.tmp\goopdateres_ar.dll (41 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 1.8 (5 votes)

x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now